SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  GRE Outbound Nat

    Posted 02-02-2010 03:50

    Hi All

     

    I have an SRX 240 which is separating a LAN and a WAN.

    When a user on the LAN wants to VPN to a VPN server outside of my network, the SRX is port-translating the GRE connection as shown below, and then the GRE connection fails. How do I set up an outbound static NAT or stop it from translating the source port?

     

      Session ID: 7591, Policy name: MS_VPN_Outbound_Access/6, Timeout: 1800
      In: y.y.y.y/2048 --> x.x.x.x/2048;gre, If: ge-0/0/0.0
      Out: x.x.x.x/2048 --> z.z.z.z/49070;gre, If: ge-0/0/3.0



  • 2.  RE: GRE Outbound Nat

    Posted 02-02-2010 04:55

    Hello there,

    There are no ports in GRE protocol so if you are using a single NAPT pool for TCP/UDP/ICMP and GRE, you will need to do this:

    1/ create a custom application matching on protocol 47. You can also define a custom idle-timeout for GRE if you want to

    2/ create a separate pool for statically NAT-ing only GRE

    3/ create a NAT rule matching on newly created GRE application and "then static-nat" action

    The static NAT configuration example

    http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/configuring-staticnat-srx-example.html

    Good luck!

    Rgds

    Alex



  • 3.  RE: GRE Outbound Nat

    Posted 02-02-2010 05:56

    Hi

     

    I'm a bit confused because I can't apply pools to static NATs; I can only specify a destination address and then static NAT to a prefix.

     

    How do you map the pool to the static nat ?



  • 4.  RE: GRE Outbound Nat
    Best Answer

    Posted 02-02-2010 06:04

    Of course.

    In JUNOS-ES you can only statically NAT to a prefix, not a pool.

    My bad :(

    Here is the corrected procedure:

    1/ create a custom application matching on protocol 47. You can also define a custom idle-timeout for GRE if you want to

    2/ define a separate prefix for statically NAT-ing only GRE

    3/ create a NAT rule matching on newly created GRE application and "then static-nat prefix" action

    Rgds

    Alex



  • 5.  RE: GRE Outbound Nat

    Posted 02-02-2010 06:35

    I still can't use the custom GRE app on the NAT rule; please see below what my NAT rule looks like:

     

    rule-set gre {
        from zone trust;
        rule grenat {
            match {
                destination-address ip_address_of_outbound_vpn_server/32;
            }
            then {
                static-nat prefix public_ip_of_srx_device/32;
            }
        }
    }



  • 6.  RE: GRE Outbound Nat

    Posted 02-02-2010 07:09

    That would work if your users only have to connect to "ip_address_of_outbound_vpn_server/32". 

    After reading http://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf I have a better idea.

    Let me know if following would work:

     

     

    set applications application GRE-ALG protocol gre
    set security nat pool gre-nat-pool-1 address <first public IP> to <last public IP>
    set security nat pool gre-nat-pool-1 port no-translation
    set security nat source rule-set rs1 from zone trust
    set security nat source rule-set rs1 to zone gre-zone
    set security nat source rule-set rs1 rule r1 match source-address <your private block>
    set security nat source rule-set rs1 rule r1 match destination-address 0.0.0.0/0
    set security nat source rule-set rs1 rule r1 then source-nat gre-nat-pool-1
    set security policies from-zone trust to-zone gre-zone policy gre-out match source-address <your private block> destination-address any application GRE-ALG
    set security policies from-zone trust to-zone gre-zone policy gre-out then permit

     Also, you have to create zone "gre-zone" and appropriate policies.

    Rgds

    Alex



  • 7.  RE: GRE Outbound Nat

    Posted 02-03-2010 02:47

    Thanks, got it working; that pointed me in the right direction. I did however struggle to get the new source NAT to take preference over the general outbound NAT for all traffic. Is there a better way to change the order they are read, apart from deleting the initial one and recreating it? I also tried to insert the new rule above the old one, but the new rule still didn't match.



  • 8.  RE: GRE Outbound Nat

    Posted 02-04-2010 04:35

    Hello there,

     

    The NAT type determines the order in which NAT rules are processed. During the first packet processing for a flow, NAT rules are applied in the following order:
    
       1. Static NAT rules
       2. Destination NAT rules
       3. Route lookup
       4. Security policy lookup
       5. Reverse mapping of static NAT rules
       6. Source NAT rules
    
    Static NAT and destination NAT rules are processed before route and security policy lookup. Static NAT rules take precedence over destination NAT rules. Reverse mapping of static NAT rules takes place after route and security policy lookup and takes precedence over source NAT rules. Source NAT rules are processed after route and security policy lookup and after reverse mapping of static NAT rules. 

     

     

    http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/understand-nat-rule-sets-section.html

     

    Basically, if you are doing GRE static NAT it should take precedence. If you are doing source NAT with PAT disabled then the following match rules apply:

     

     

    Source NAT rule set matching is more complex because you specify both source and destination conditions in a source NAT rule set. In the case where a packet matches more than one source NAT rule set, the rule set chosen is based on the following source/destination conditions (in order of priority):
    
       1. Source interface/destination interface
       2. Source zone/destination interface
       3. Source routing instance/destination interface
       4. Source interface/destination zone
       5. Source zone/destination zone
       6. Source routing instance/destination zone
       7. Source interface/destination routing instance
       8. Source zone/destination routing instance
       9. Source routing instance/destination routing instance

     So please try to make your NAT rules as specific as possible in order to avoid the GRE packet matching the wrong rule.

    Rgds

    Alex
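    To make the two orderings quoted above concrete, here is a small Python model of how an SRX picks a source NAT rule-set and rule for a first packet. This is an added example, not Juniper code: the Packet/Pool/Rule/RuleSet classes, the sample rule-sets and all addresses and interface names are constructed assumptions; only the context precedence list comes from the reply above, and the "GRE has no ports" check reflects reply 2. As in the posted set commands, rules match on source and destination prefix only.

```python
"""Model of SRX source NAT rule-set selection (added example, not Juniper
code). Sample configuration and packets below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# (from-context, to-context) pairs in order of priority, as listed in the post.
PRECEDENCE = [
    ("interface", "interface"),
    ("zone", "interface"),
    ("routing-instance", "interface"),
    ("interface", "zone"),
    ("zone", "zone"),
    ("routing-instance", "zone"),
    ("interface", "routing-instance"),
    ("zone", "routing-instance"),
    ("routing-instance", "routing-instance"),
]

# Protocols without a port field: a PAT (NAPT) pool cannot carry them.
PORTLESS_PROTOCOLS = {"gre", "esp", "ah"}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    in_if: str      # ingress interface / zone / routing instance
    in_zone: str
    in_ri: str
    out_if: str     # egress contexts are known after route lookup
    out_zone: str
    out_ri: str

    def context(self, side: str, kind: str) -> str:
        attr = {"interface": "if", "zone": "zone", "routing-instance": "ri"}[kind]
        prefix = "in" if side == "from" else "out"
        return getattr(self, f"{prefix}_{attr}")


@dataclass
class Pool:
    name: str
    port_translation: bool = True   # "port no-translation" => False


@dataclass
class Rule:
    name: str
    src_prefixes: List[str]
    dst_prefixes: List[str]
    pool: Optional[Pool]            # None models "then source-nat off"

    def matches(self, pkt: Packet) -> bool:
        s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        return (any(s in ipaddress.ip_network(p) for p in self.src_prefixes)
                and any(d in ipaddress.ip_network(p) for p in self.dst_prefixes))


@dataclass
class RuleSet:
    name: str
    from_kind: str
    from_value: str
    to_kind: str
    to_value: str
    rules: List[Rule]

    def matches(self, pkt: Packet) -> bool:
        return (pkt.context("from", self.from_kind) == self.from_value
                and pkt.context("to", self.to_kind) == self.to_value)


def select_rule_set(pkt: Packet, rule_sets: List[RuleSet]) -> Optional[RuleSet]:
    """Among rule-sets whose contexts match, the most specific pair wins,
    regardless of the order they were configured in."""
    cands = [rs for rs in rule_sets if rs.matches(pkt)]
    if not cands:
        return None
    return min(cands, key=lambda rs: PRECEDENCE.index((rs.from_kind, rs.to_kind)))


def evaluate(pkt: Packet, rule_sets: List[RuleSet]) -> Tuple:
    """Return (rule_set, rule, pool, warning). Within the chosen rule-set the
    rules are tried in configured order; first match wins. If no rule in the
    selected rule-set matches, this model applies no NAT (assumption)."""
    rs = select_rule_set(pkt, rule_sets)
    if rs is None:
        return (None, None, None, None)
    for rule in rs.rules:
        if rule.matches(pkt):
            pool = rule.pool.name if rule.pool else None
            warn = None
            if rule.pool and rule.pool.port_translation and pkt.proto in PORTLESS_PROTOCOLS:
                warn = f"{pkt.proto} has no port field; PAT pool {pool} will break this flow"
            return (rs.name, rule.name, pool, warn)
    return (rs.name, None, None, None)


# Constructed sample configuration: a general interface-NAT rule-set (zone to
# zone) and a GRE-specific one keyed to the egress interface (zone to interface).
GENERAL = RuleSet("trust-to-untrust", "zone", "trust", "zone", "untrust",
                  [Rule("all", ["10.0.0.0/8"], ["0.0.0.0/0"], Pool("interface-napt"))])
GRE_RS = RuleSet("gre1", "zone", "trust", "interface", "ge-0/0/3.0",
                 [Rule("r1", ["10.1.1.0/24"], ["0.0.0.0/0"],
                       Pool("gre-nat-pool-1", port_translation=False))])

# Constructed packets: a GRE flow leaving via ge-0/0/3.0 and a TCP flow via ge-0/0/4.0.
GRE_PKT = Packet("10.1.1.5", "203.0.113.10", "gre",
                 "ge-0/0/0.0", "trust", "default", "ge-0/0/3.0", "untrust", "default")
TCP_PKT = Packet("10.1.1.5", "198.51.100.20", "tcp",
                 "ge-0/0/0.0", "trust", "default", "ge-0/0/4.0", "untrust", "default")

if __name__ == "__main__":
    print(evaluate(GRE_PKT, [GENERAL]))            # GRE caught by the PAT rule-set
    print(evaluate(GRE_PKT, [GENERAL, GRE_RS]))    # zone/interface beats zone/zone
    print(evaluate(TCP_PKT, [GENERAL, GRE_RS]))    # TCP on another interface stays general
```

    With only the general zone-to-zone rule-set present, the GRE packet lands on the PAT pool and the model flags it; adding a rule-set whose `to` context is the egress interface wins on specificity even when it is configured after the general one, which is the point of the "as specific as possible" advice.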

     



  • 9.  RE: GRE Outbound Nat

    Posted 11-15-2011 01:46

    Would this work if using interface nat between trust and untrust (WAN) and needing to use GRE?



  • 10.  RE: GRE Outbound Nat

    Posted 09-17-2012 16:59

    Just working through this for ourselves.

    The line: set security nat source rule-set rs1 rule r1 then source-nat gre-nat-pool-1

    Should read:

    set security nat source rule-set rs1 rule r1 then source-nat pool gre-nat-pool-1 (at least for Junos 11.4+)

     

    This is our command set, but when applying it, it doesn't seem to work.

    Error:

      'policy gre-out'
        Address or address_set (w.x.y.126) not found.
    error: configuration check-out failed

     

    set applications application GRE-ALG protocol gre
    set security nat pool gre-nat-pool-1 address w.x.y.124/30
    set security nat pool gre-nat-pool-1 port no-translation
    set security nat source rule-set gre1 from zone ServiceX
    set security nat source rule-set gre1 to zone untrust
    set security nat source rule-set gre1 rule r1 match source-address w.x.y.126
    set security nat source rule-set gre1 rule r1 match destination-address 0.0.0.0/0
    set security nat source rule-set gre1 rule r1 then source-nat pool gre-nat-pool-1
    set security policies from-zone ServiceX to-zone untrust policy gre-out match source-address w.x.y.126 destination-address any application GRE-ALG
    set security policies from-zone ServiceX to-zone untrust policy gre-out then permit
    
    w.x.y.:
    .124/30 network
    .125 port ge-0/0/0
    .126 device connected to ge-0/0/0
    
    

     

    We have a device on ge-0/0/0 in zone ServiceX with a public IP; the untrust zone port is ge-4/0/0, and our GRE tunnel fails to receive information from the device (a MikroTik router) on ge-0/0/0.

     

    Any assistance would be appreciated.

     

    Regards,

    Bevan